Rather than a simple check to see if given metadata such as labels and annotations are present, in some cases they need to be present and the values match a specified regular expression. This policy illustrates how to ensure a label with key `corp.org/version` is both present and matches a given regex, in this case ensuring semver is met.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: metadata-match-regexannotations:policies.kyverno.io/title: Metadata Matches Regexpolicies.kyverno.io/category: Otherpolicies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: Pod, Labelpolicies.kyverno.io/description: Rather than a simple check to see if given metadata such as labels and annotations are present, in some cases they need to be present and the values match a specified regular expression. This policy illustrates how to ensure a label with key `corp.org/version` is both present and matches a given regex, in this case ensuring semver is met.spec:validationFailureAction: Auditbackground: falserules:- name: check-for-regexmatch:any:- resources:kinds:- Podvalidate:message: "The label `corp.org/version` is required and must match the specified regex: ^v[0-9].[0-9].[0-9]$"deny:conditions:all:- key: "{{ regex_match('^v[0-9].[0-9].[0-9]$','{{request.object.metadata.labels.\"corp.org/version\" || 'empty'}}') }}"operator: Equalsvalue: false
This policy prevents the use of the default project in an Application.
This policy ensures that the name of the ApplicationSet is the same value provided in the project.
This policy ensures that the name of the ApplicationSet is the same value provided in the project.